The U.S. Citizenship and Immigration Services and the Millennium Challenge Corporation epitomize just how different each agency’s journey is to a zero trust architecture.
While both have a majority of applications in the cloud, the similarities to reach the same end goal stop there.
Shane Barney, the chief information security officer at USCIS, said the focus of his agency is all about automation. After beginning their cloud efforts more than a decade ago and starting down the zero trust path more than five years ago, he said automation is the key to driving security further into the agency.
“How do we integrate the security operations center (SOC) and actually other teams within that automation portfolio? It’s much bigger, more expansive than just the SOC,” Barney said during a recent panel sponsored by Advanced Technology Academic Research Center (ATARC), an excerpt of which played on Ask the CIO. “When you’re talking about automation, you should talk about your security automation, which involves your entire security program. It should be at risk your governance, how you do documentation and all of that. The big push right now is for us to leverage some of these newer frameworks that have come out, that are allowing us to do, for example, automation of all of our documentation. I find it ridiculous that we do PDF files for security plans, I find absolutely no value in that. We are automating the way that the development teams communicate and how that communication then translates into documentation for our security plans or for updates to how we do things. It’s a big challenge. It’s a big, it’s a big undertaking.”
Barney said his team initially thought he was setting an unachievable goal, but it’s also the only way agencies can keep up with the ever-changing cyber threat environment.
“We have to get to the point where you’re doing threat hunting as a continual process of your cybersecurity program. We can no longer just rely on checkbox security. It should have died a long time ago. But it’s still around and we’re trying to kill it off as quickly as possible,” he said. “There are two different ways we approach automation. Sometimes we’re automating things that have never been done so there’s really no business practice wrapped around it. It’s either new or different, or somehow we’re changing up things. That makes it actually a little easier. When we’re faced with existing business processes, we’ll often model the existing business process with the automation and there are lots of reasons for doing it that way. What we found is that modeling the existing business process helps us find and figure out what exactly it is we’re after.”
Every agency is facing specific deadlines to reach a level of maturity along the zero trust journey based on the Office of Management and Budget’s February 2022 strategy. OMB detailed 19 requirements agencies must achieve by 2024 to implement specific goals related to creating a zero trust architecture.
While Barney had to do some convincing of his staff that automation is achievable, Miguel Adams, the Millennium Challenge Corporation’s CISO, said he’s on a different kind of education campaign.
“I want a value proposition to the customer to be clear. If I don’t get the customers on board, if I don’t get their understanding, the program is going to be difficult to implement. So I’m taking time to go out to departments and divisions, teaching them the vernacular, teaching them what zero trust is, why we need to do this, and the benefits, I hope, the value proposition of what it could translate to them,” Adams said during the panel. “We travel a lot in the agency and our endpoints have been hardened for some time now. Most of everything we have is in the cloud. But if we don’t do this with our customers, they’re going to probably have a little reluctance and they’ll find other ways to do things that they find easier.”
At the same time, Adams is working within the Office of the Chief Information Officer’s infrastructure and development teams to ensure everyone is on the same page about zero trust, how to define it and what it means for MCC.
In the end, Adams said zero trust is a significant change for the technology and business sides, moving from implicit to explicit access control.
“We implement access control from the user level, though, somebody will go in there, and they’ll do the SharePoint permissions and everything else. But it goes beyond that. Data categorization for us is really just where we are starting, and we want the metadata behind that so that this process is automated,” he said. “We know there is going to be some pain in there because we’re not going to get the policy right the first time. So if the users don’t understand why we’re doing this, and how we’re moving this forward, then I think we’re setting ourselves up for failure.”
Speed and agility are required
Protecting the data, particularly at the metadata level, requires tools that can reach the endpoints. Barney said because USCIS has 150,000 endpoints, the speed and scale required, especially in a cloud environment, makes the challenge even bigger.
“To do that at scale, and especially at speed when you’re talking cloud environments, you’re going to have to automate that. So having certificate automation is like a building block to all things that you do in this space. It’s also the thing that most organizations lack. They don’t even think about it until everything goes dark one day, and they’re like, ‘Well, what’s going on?’” he said. “You’re not automating just the certification piece of it, you have to automate all the roles because each one of those things is going to have a role that’s going to have some function in your organization.”
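The failure mode Barney describes, certificates nobody tracks until they expire and something goes dark, is the one part of this discussion that reduces to a concrete check. The Go program below is an added example, not code from USCIS or from the panel: it mints a small constructed inventory of self-signed certificates (the hostnames, the 30-day renewal window and the fixed clock are all assumptions) and classifies each one as healthy, due for renewal or already expired, which is the decision a renewal job or an alerting rule has to make before it can act.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// renewalWindow is an assumed policy value: anything expiring within 30 days
// is handed to the renewal job instead of being left to go dark.
const renewalWindow = 30 * 24 * time.Hour

// CertStatus is the verdict the automation acts on.
type CertStatus int

const (
	StatusOK      CertStatus = iota // nothing to do
	StatusRenew                     // inside the renewal window
	StatusExpired                   // already dark
)

func (s CertStatus) String() string { return [...]string{"ok", "renew", "expired"}[s] }

// issueCert mints a self-signed certificate with the given validity period. It
// stands in for the agency CA so the expiry logic can run offline; a real sweep
// would read certificates off the endpoints or out of an inventory.
func issueCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// classify compares one certificate against an injected clock (not time.Now(),
// so a sweep can be replayed and tested against a fixed date).
func classify(cert *x509.Certificate, now time.Time) CertStatus {
	switch {
	case !now.Before(cert.NotAfter):
		return StatusExpired
	case cert.NotAfter.Sub(now) <= renewalWindow:
		return StatusRenew
	default:
		return StatusOK
	}
}

// sweep classifies a whole inventory and groups common names by status, which
// is the shape a renewal job or an alert rule wants to consume.
func sweep(inventory []*x509.Certificate, now time.Time) map[CertStatus][]string {
	out := map[CertStatus][]string{}
	for _, c := range inventory {
		s := classify(c, now)
		out[s] = append(out[s], c.Subject.CommonName)
	}
	return out
}

// buildInventory constructs three sample identities (assumed hostnames) around
// a fixed clock: one healthy, one inside the renewal window, one already expired.
func buildInventory(now time.Time) ([]*x509.Certificate, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn                  string
		notBefore, notAfter time.Time
	}{
		{"api.example.internal", now, now.Add(365 * day)},
		{"sso.example.internal", now.Add(-80 * day), now.Add(10 * day)},
		{"legacy.example.internal", now.Add(-100 * day), now.Add(-10 * day)},
	}
	var inv []*x509.Certificate
	for _, s := range specs {
		c, err := issueCert(s.cn, s.notBefore, s.notAfter)
		if err != nil {
			return nil, err
		}
		inv = append(inv, c)
	}
	return inv, nil
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	inv, err := buildInventory(now)
	if err != nil {
		panic(err)
	}
	for status, names := range sweep(inv, now) {
		fmt.Printf("%-8s %v\n", status, names)
	}
}
```

The clock is passed in rather than read inside `classify` so the same sweep can be run against tomorrow's date to see what will fall into the window next; the grouped output is what you would feed to a renewal pipeline for the "renew" bucket and to an incident channel for anything that lands in "expired".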
Barney said the automation is key so analysts can spend more time looking for anomalies in the network traffic or analytics that may show an attacker is trying to take hold of a system or preparing for an attack.
“The hardest part is applications and data. Doing data in stream and in flight, it’s unreal and difficult. It goes far beyond just the data in and of itself, because you’ve got to identify the subtypes of data, and when collections of data become sensitive versus non-sensitive. So all that being rolled into one, getting your hands wrapped around it is very difficult,” he said. “It is a huge team effort. It involves so much more than just me. I happen to run it, but it involves the chief data officer, it involves all of our engineering groups, all of our data groups, and it involves all the business functions, because at the end of the day, whether I like it or not, if you’re smart, if you’re good at it, you’ll use what one of my employees called smart friction.”
The idea of smart friction is making sure the end users know why and how the zero trust capabilities are going to affect them and why it’s important.
That is similar to the effort Adams is spearheading at MCC with his customers.
“What is the value proposition to the end user is the question you have to answer. What are you going to deliver to the customer? If they don’t buy into it, that’s going to be an issue,” he said. “Education is key, and prioritize what you want them to learn. Don’t boil the ocean; this is a journey.”